Replace the extension php5 in file_save_upload()

Created on 6 June 2015, over 9 years ago
Updated 24 April 2024, 7 months ago

This was initially reported to the security team (#136958: Service Links Not Showing When I Upload Attachment). There is some overlap with #2450963: [policy] Should we treat files that end with .php[345]?, .pht, .phtml files as include files or independent scripts?

Problem: The file extension 'php5' is currently not considered insecure in file_save_upload().

if (!variable_get('allow_insecure_uploads', 0) && preg_match('/\.(php|pl|py|cgi|asp|js)(\.|$)/i', $file->filename) && (substr($file->filename, -4) != '.txt')) {
Bug report
Status: Closed: outdated
Version: 7.0 ⚰️
Component: File system
Created by: dokumori (Utrecht, Netherlands)
Tags: Security improvements

Comments & Activities

Not all content is available: this issue likely predates Contrib.social, so some issue and comment data are missing.

  • apaderno (Brescia, Italy)

    The currently used code is the following one.

      else {
        // No validator was provided, so add one using the default list.
        // Build a default non-munged safe list for file_munge_filename().
        $extensions = 'jpg jpeg gif png txt doc xls pdf ppt pps odt ods odp';
        $validators['file_validate_extensions'] = array();
        $validators['file_validate_extensions'][0] = $extensions;
      }
      if (!variable_get('allow_insecure_uploads', 0)) {
        if (!empty($extensions)) {
          // Munge the filename to protect against possible malicious extension hiding
          // within an unknown file type (ie: filename.html.foo).
          $file->filename = file_munge_filename($file->filename, $extensions);
        }

    The code does not even check for the following extensions: .php, .pl, .py, .cgi, .asp, .js. Either the code became too permissive, or those extensions are handled by a different function.

  • Status changed to Closed: outdated 7 months ago
  • apaderno (Brescia, Italy)

    Actually, the code only allows the extensions passed in $extensions.
    file_validate_extensions(), called from the code I showed in the previous comment, contains the following code.

    function file_validate_extensions(stdClass $file, $extensions) {
      $errors = array();
      $regex = '/\\.(' . preg_replace('/ +/', '|', preg_quote($extensions)) . ')$/i';
      if (!preg_match($regex, $file->filename)) {
        $errors[] = t('Only files with the following extensions are allowed: %files-allowed.', array(
          '%files-allowed' => $extensions,
        ));
      }
      return $errors;
    }
    

    It seems this issue became outdated.
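The following is an added example, not code from the issue or from Drupal core. It puts the deny-list regex quoted in the issue summary, a widened pattern (an assumption for this example, covering the .php3/.php4/.php5/.php7, .pht, .phtml and .phar variants discussed in #2450963), and an allow-list check built the same way as file_validate_extensions() side by side on a set of constructed filenames. The allowed-extension string is the default list from the quoted file_save_upload() code; the sample filenames are constructed for illustration.

```php
<?php
// Added example: compares the Drupal 7 deny-list regex from the issue summary
// with a widened pattern and with an allow-list check on the same filenames.
// Sample filenames and the widened pattern are constructed/assumed here.

/**
 * The deny-list from the issue summary: true when file_save_upload() would
 * treat the name as insecure (and append .txt to it).
 */
function d7_is_insecure(string $filename): bool {
  return (bool) preg_match('/\.(php|pl|py|cgi|asp|js)(\.|$)/i', $filename)
    && substr($filename, -4) != '.txt';
}

/**
 * Widened deny-list (assumed for this example, not Drupal's list): it also
 * catches the php3/php4/php5/php7, pht, phtml and phar spellings that some
 * PHP handler configurations execute.
 */
function widened_is_insecure(string $filename): bool {
  return (bool) preg_match('/\.(php[3457]?|pht|phtml|phar|pl|py|cgi|asp|js)(\.|$)/i', $filename)
    && substr($filename, -4) != '.txt';
}

/**
 * Allow-list check with the same regex construction as
 * file_validate_extensions(): only the final extension is inspected.
 */
function allowed_by_extension_list(string $filename, string $extensions): bool {
  $regex = '/\.(' . preg_replace('/ +/', '|', preg_quote($extensions)) . ')$/i';
  return (bool) preg_match($regex, $filename);
}

// Constructed sample names; the allow-list is the default from file_save_upload().
$samples = ['shell.php', 'shell.php5', 'shell.phtml', 'shell.php.jpg', 'photo.jpg', 'notes.php.txt'];
$allowed = 'jpg jpeg gif png txt doc xls pdf ppt pps odt ods odp';

printf("%-16s %-8s %-8s %s\n", 'filename', 'd7deny', 'widened', 'allow-list');
foreach ($samples as $name) {
  printf("%-16s %-8s %-8s %s\n",
    $name,
    d7_is_insecure($name) ? 'block' : 'pass',
    widened_is_insecure($name) ? 'block' : 'pass',
    allowed_by_extension_list($name, $allowed) ? 'ok' : 'reject');
}
```

Run with `php example.php`. The deny-list from the summary lets `shell.php5` and `shell.phtml` through (the regex requires `.php` to be followed by a dot or the end of the name), while the allow-list rejects both because their last extension is not in the list. The allow-list does accept `shell.php.jpg`, since it only looks at the final extension; that is the double-extension case the quoted file_munge_filename() call is there for, which rewrites the intermediate extension (the `filename.html.foo` comment in the quoted code).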
