- Issue created by @mingsong
In testing use of the Media Library from the form widget on the Node Edit form, we have discovered that the buildInputElement function used to create the file upload form element is not returning the correct upload element. Notably on an image field, it is returning the standard file_managed_file element rather than the image_widget.
This bypasses the verification of the uploaded files as actual images, resulting in a security issue as it allows any file type to be uploaded as long as the file extension is on the allowed list. Validators such as file_validate_is_image are not called during the entire media entity creation process via Media Library. This allows for potentially problematic files that would otherwise not be able to be uploaded to bypass normal checks.
Secondly, this element is hard-coded to have “#multiple” as TRUE even if the source field is limited to one item, allowing multiple files to be uploaded if selected from the system-level file open dialog, as long as they are below the size limit. These files are staged into the sites/files directory, and temporary managed file entities created for them, though no media entities are, only one for the last file uploaded. This allows for “shadow” files to be uploaded for a short time.
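The two checks this issue reports as missing (content validation and the field's item limit), as an added stand-alone PHP example that is not part of the issue or of Drupal core. Function names and sample files are constructed for illustration, and PHP's getimagesize() stands in for Drupal's image validation.

```php
<?php
// Added illustration in plain PHP; names below are hypothetical, not Drupal APIs.
const ALLOWED_EXT  = ['png', 'jpg', 'jpeg', 'gif'];
const ALLOWED_MIME = ['image/png', 'image/jpeg', 'image/gif'];

// Extension allow-list: the only check the issue says still runs.
function extension_allowed(string $name): bool {
  return in_array(strtolower(pathinfo($name, PATHINFO_EXTENSION)), ALLOWED_EXT, TRUE);
}

// Content check: parse the file header instead of trusting the file name.
function is_real_image(string $path): bool {
  $info = @getimagesize($path);
  return $info !== FALSE && in_array($info['mime'], ALLOWED_MIME, TRUE);
}

// Returns a list of error strings; an empty list means the batch is acceptable.
// $cardinality is the source field's item limit (-1 means unlimited).
function validate_upload(array $paths, int $cardinality): array {
  $errors = [];
  if ($cardinality > 0 && count($paths) > $cardinality) {
    $errors[] = sprintf('%d files sent, field allows %d', count($paths), $cardinality);
  }
  foreach ($paths as $path) {
    if (!extension_allowed($path)) {
      $errors[] = basename($path) . ': extension not allowed';
    }
    elseif (!is_real_image($path)) {
      $errors[] = basename($path) . ': content is not an image';
    }
  }
  return $errors;
}

// Constructed samples: a valid 1x1 PNG and a text file renamed to .png.
$dir = sys_get_temp_dir() . '/upload_demo_' . getmypid();
mkdir($dir);
file_put_contents("$dir/pixel.png", base64_decode(
  'iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAADUlEQVR42mNkYPhfDwAChwGA60e6kgAAAABJRU5ErkJggg=='));
file_put_contents("$dir/notes.png", "plain text, not image data\n");

// The renamed text file passes the extension check on its own.
var_dump(extension_allowed("$dir/notes.png"));
// A single genuine image on a one-item field yields no errors.
print_r(validate_upload(["$dir/pixel.png"], 1));
// Two files on a one-item field, one of them not an image: both problems reported.
print_r(validate_upload(["$dir/pixel.png", "$dir/notes.png"], 1));

array_map('unlink', glob("$dir/*"));
rmdir($dir);
```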
Active
11.0 🔥
It makes Drupal less vulnerable to abuse or misuse. Note, this is the preferred tag, though the Security tag has a large body of issues tagged to it. Do NOT publicly disclose security vulnerabilities; contact the security team instead. Anyone (whether security team or not) can apply this tag to security improvements that do not directly present a vulnerability e.g. hardening an API to add filtering to reduce a common mistake in contributed modules.