IMCE does not accept custom extensions in profile

Created on 5 February 2023, almost 2 years ago

Problem/Motivation

Hi everyone
This is to report a security issue and an operational issue with the IMCE file manager.
In Drupal 10.0.x and Drupal 9.5.x, which have been examined, the admin profile's extensions allow all file types (security concern!). If someone tries to define specific formats, let's say for uploading image file types (jpg, jpeg, png), defines the settings and saves the admin profile form, then the IMCE file manager does not allow the customized formats.
The issue is seen when entering file formats in capital letters and in small letters, to no avail. Only one specific file format can be defined, for example if you just want to use jpg as the site's image format.

Steps to reproduce

Install Drupal 9 or Drupal 10 (Tested with 9.5.3 and 10.0.3)
Install IMCE
Customize the admin profile to add several allowed extensions (in this case jpg, jpeg, png).
Try to upload a file via the IMCE file manager.
Error: please find attached the screenshot as proof.

Proposed resolution

I hope this report is noticed by the maintainers and resolved, both in terms of functionality and security concerns.

Remaining tasks

User interface changes

API changes

Data model changes

🐛 Bug report
Status

Closed: works as designed

Version

3.0

Component

Code

Created by

🇮🇷Iran tsotoodeh


Comments & Activities

  • Issue created by @tsotoodeh
  • Status changed to Closed: works as designed almost 2 years ago
  • Just remove the commas and you'll be fine
    jpg jpeg png

  • 🇮🇷Iran tsotoodeh

    Just remove the commas and you'll be fine

    That's right!
Did not happen to come across an extension definition which accepts space as a separator!
Regarding the security concern of defining * as the accepted format for Drupal user1, what is the justification from the security perspective behind this decision? Could you elaborate on this matter? Thank you.

  • The "administer imce" permission is flagged as "restrict access", so it should be granted to trusted users only. Even if you have the permission to upload all extensions, you'll still need to enable the allow_insecure_uploads config option manually in order to upload insecure extensions like php and js.
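To show why the comma-separated list from the report fails while the space-separated one works, and how the maintainer's two-layer rule (profile list, then an explicit override for insecure extensions) fits together, here is an added, stand-alone model of that check. It is not IMCE's or Drupal's own code; the `INSECURE_EXTENSIONS` set, the function names and the double-extension check are constructed for this example.

```python
# Constructed for this example: the thread names php and js as insecure;
# Drupal core flags a similar family of server-executable extensions.
INSECURE_EXTENSIONS = {"php", "phar", "phtml", "pl", "py", "cgi", "asp", "js"}


def parse_extensions(setting: str) -> set[str]:
    """Split a profile's extension list on whitespace (the separator the
    maintainer describes) and normalise to lower case. Note that a comma
    typed by the admin stays glued to its token: 'jpg,' is not 'jpg'."""
    return {token.lower() for token in setting.split()}


def check_upload(filename: str, extensions_setting: str,
                 allow_insecure_uploads: bool = False) -> tuple[bool, str]:
    """Decide whether FILENAME may be uploaded under a profile whose
    extensions setting is EXTENSIONS_SETTING. Returns (allowed, reason)."""
    parts = filename.lower().split(".")
    ext = parts[-1] if len(parts) > 1 else ""
    allowed = parse_extensions(extensions_setting)

    # Layer 1: the profile's list, where "*" means any extension.
    if "*" not in allowed and ext not in allowed:
        return False, f"extension '{ext}' not in profile list {sorted(allowed)}"

    # Layer 2: an insecure extension anywhere after the base name (so that
    # 'x.php.jpg' is caught too) additionally needs the explicit override,
    # even when the profile says "*".
    insecure = [p for p in parts[1:] if p in INSECURE_EXTENSIONS]
    if insecure and not allow_insecure_uploads:
        return False, f"insecure extension {insecure} needs allow_insecure_uploads"
    return True, "ok"


if __name__ == "__main__":
    # The reporter's setting: commas become part of the tokens, so only the
    # last entry ("png", which has no trailing comma) ever matches.
    print(parse_extensions("jpg, jpeg, png"))
    print(check_upload("photo.jpg", "jpg, jpeg, png"))   # rejected
    print(check_upload("photo.png", "jpg, jpeg, png"))   # accepted
    print(check_upload("photo.JPG", "jpg jpeg png"))     # accepted
    # The "*" profile of user1: still no php without the config override.
    print(check_upload("shell.php", "*"))
    print(check_upload("shell.php", "*", allow_insecure_uploads=True))
```

This also explains the reporter's observation that exactly one format worked: in a comma-separated list only the final token has no comma attached.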

  • 🇮🇷Iran tsotoodeh

    That's a good answer. By all means it would be good to warn the user1 holder to configure and customize the admin profile extensions at the time the module is installed. That would make Drupal secure as designed in every step of its life cycle. Keep up the good work.
