User account form can enumerate/view all public files/images by iterating the File ID

Created on 19 May 2025, 19 days ago

Problem/Motivation

This was originally logged as a private issue to the security team, but was cleared to be moved to the public queue

It's possible to access any public files/images on the platform without having the right to see them by using the edit user form and setting any file id in the user_picture parameter.

Steps to reproduce

  1. Create a node with a picture uploaded in a field, but don't publish the node.
  2. Create a new user without any rights. It can't access the article because it's not public.
  3. Go to the user edit form at /user/{id}/edit and select any picture. If you look at the request made, this is a POST request to /user/{id}/edit with a parameter user_picture[0][fids]

This parameter contains the id of the picture you uploaded. But if you replay this request using another id, like the id of the picture you uploaded in the unpublished article, you will set the user picture to this image.

So by doing that, you can see any pictures on the platform.

And this is because the user edit form only accepts pictures, but if you create a form by default with a file upload, you can access all other files, even the unpublished ones and those from other users.
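One shape a submit-time check could take, validating every file id referenced by user_picture against the submitter's access and ownership, is shown below. This is an added illustration for this issue, not Drupal core code and not the MR mentioned under "Remaining tasks": the module name example_picture_guard, the function names, the log messages and the policy of only accepting files the submitter uploaded (or already had as their picture) are assumptions. It does not change what the webserver serves directly from public://; it only stops the user form from being used to attach, and thereby display, arbitrary file ids.

```php
<?php

/**
 * @file
 * Hypothetical module "example_picture_guard" (assumed name, not core code):
 * rejects user_picture file ids the submitting user does not own.
 */

use Drupal\Core\Form\FormStateInterface;
use Drupal\file\Entity\File;

/**
 * Implements hook_form_FORM_ID_alter() for user_form (the /user/{id}/edit form).
 */
function example_picture_guard_form_user_form_alter(array &$form, FormStateInterface $form_state, $form_id) {
  // Appended so it runs after the managed_file element's own validation,
  // by which point user_picture[*][fids] has been normalised to an array.
  $form['#validate'][] = 'example_picture_guard_validate_user_picture';
}

/**
 * Validation callback: every fid in user_picture[*][fids] must be a file the
 * current user may view AND either uploaded by them or already their picture.
 */
function example_picture_guard_validate_user_picture(array &$form, FormStateInterface $form_state) {
  $items = $form_state->getValue('user_picture');
  if (empty($items) || !is_array($items)) {
    return;
  }

  $account = \Drupal::currentUser();
  /** @var \Drupal\user\UserInterface $user */
  $user = $form_state->getFormObject()->getEntity();

  // Fids already attached to this account are legitimate previous values.
  $existing = [];
  if ($user->hasField('user_picture')) {
    foreach ($user->get('user_picture') as $item) {
      $existing[] = (int) $item->target_id;
    }
  }

  foreach ($items as $delta => $item) {
    foreach ((array) ($item['fids'] ?? []) as $fid) {
      $fid = (int) $fid;
      $file = File::load($fid);

      // Unknown fid: reject and log rather than silently drop, so that
      // iteration over the id space is visible in the logs.
      if (!$file) {
        $form_state->setErrorByName("user_picture][$delta", t('The selected picture is not valid.'));
        \Drupal::logger('example_picture_guard')->warning('User @uid submitted unknown file id @fid.', [
          '@uid' => $account->id(),
          '@fid' => $fid,
        ]);
        continue;
      }

      // Assumed policy: the file must pass the File entity's own 'view' access
      // check and be owned by the submitter or already be their picture.
      $owned = (int) $file->getOwnerId() === (int) $account->id();
      $allowed = $file->access('view', $account) && ($owned || in_array($fid, $existing, TRUE));

      if (!$allowed) {
        $form_state->setErrorByName("user_picture][$delta", t('You may only use a picture you uploaded yourself.'));
        \Drupal::logger('example_picture_guard')->warning('User @uid tried to reference file @fid owned by user @owner.', [
          '@uid' => $account->id(),
          '@fid' => $fid,
          '@owner' => $file->getOwnerId(),
        ]);
      }
    }
  }
}
```

The ownership rule is deliberately stricter than the File entity's access handler alone, because, as the comments note, files under public:// are readable by anyone who can reach the webserver, so an access check on its own may not deny them. Sites that intentionally let users reuse shared media would need to relax that rule; the logged warnings are the part worth keeping either way, since repeated unknown-fid errors from one account are the signature of the enumeration described in the steps to reproduce.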

Proposed resolution

To be defined what the proposed fix would be, IF this would need a fix.

Remaining tasks

MR

User interface changes

N/A

Introduced terminology

N/A

API changes

N/A

Data model changes

N/A

Release notes snippet

TODO

Background information

Please credit following users:

  • aituglo
  • cilefen
  • pwolanin
  • dokumori
  • greggles
  • bramdriesen
🐛 Bug report
Status

Active

Version

11.1

Component

user.module

Created by

BramDriesen (Belgium)


Comments & Activities

  • Issue created by @BramDriesen
  • Please also credit kaique peres who also reported the same to security.drupal.org.

  • BramDriesen (Belgium)

    Updating IS

  • BramDriesen (Belgium)

    Adding a related issue which was mentioned in the private issue queue. However to me that is not the issue here but a broader discussion.

  • cmlara (United States)

    While this is given for the user edit form, presumably this scenario impacts any form with an entity reference and thus the question would be 'should forms provide a validation of entity id's during form submission validation' (would assume this would need some version of a signed response from the server to accompany the FID to assert the user has access to the file?)

    I will note the CORE Rest Route (disabled by default in standard profile, however still available) of entity/file/{file} also reveals sufficient information to obtain the files. Any proposal here should presumably take into account that aspect too.

    access any public files/images on the platform without having the right to see it by... even the unpublished one and those from other users.

    My understanding as a contrib streamWrapper maintainer is that if a site owner wanted to protect those files they were intended to move them into private:// to provide access controls otherwise they were to expect they could be enumerated/viewed as Drupal can not prevent the webserver from directly delivering the files.

  • In current scope of the limited case of images which are public, does this bug need to be critical?

  • BramDriesen (Belgium)

    Re #7, probably not, but that was the default value when creating a core security issue from the security team docs ;-).
