eZ Publish / Platform / EZP-27216

Invalid image files uploaded through "files" content type or multi file upload are uploaded to var/site/storage/original/image folder

    Details

    • Type: Bug
    • Status: Open
    • Priority: High
    • Resolution: Unresolved
    • Affects Version/s: 1.9.0-beta1
    • Fix Version/s: QA tracked issues
    • Labels:
    • Environment:

      Operating System: Debian 8
      PHP Version: 5.6.30-0+deb8u1
      Database and version: Mysql 5.5.54-0+deb8u1
      Browser (and version): Firefox 52
      Env: Prod

      Description

      I'm not sure if this applies as an issue, so please evaluate it.
      - If I try to create an "image" using an image file renamed with "php" extension, I'm unable to do so. - ok
      - If I try to create one "file1.php" using the same renamed image file, then the file is created - ok
      - If I try to create one "file2.php" using a valid php file, the file is created - ok as well

      The part I don't know if might be a problem (a security one due to eventual php injection...?) is that "file1.php" is saved to "web/var/site/storage/original/image" and the second one, "file2.php" is saved to "web/var/site/storage/original/text"
      So it seems that a validation is done to the file type upon the upload moment and then the location where it is stored depends on that validation.
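
The behaviour reported above (storage folder chosen from the detected content while the uploaded name keeps its extension) can be flagged at upload time. The following is an added example, not part of the original report and not eZ Publish code; the magic-byte table, the extension denylist and the function names are assumptions made for illustration.

```python
import os

# Assumption: extensions a web server may pass to an interpreter; tune per deployment.
EXECUTABLE_EXTS = {"php", "phtml", "php5", "phar"}
# Small magic-byte table standing in for a full content-sniffing library.
MAGIC = [
    (b"\x89PNG\r\n\x1a\n", "image/png", {"png"}),
    (b"\xff\xd8\xff", "image/jpeg", {"jpg", "jpeg"}),
    (b"GIF87a", "image/gif", {"gif"}),
    (b"GIF89a", "image/gif", {"gif"}),
]
STORAGE_ROOT = "web/var/site/storage/original"  # path prefix quoted in the report


def sniff(data):
    """Return (mime, extensions expected for it) from the leading bytes."""
    for magic, mime, exts in MAGIC:
        if data.startswith(magic):
            return mime, exts
    try:
        data.decode("utf-8")
        return "text/plain", None  # any extension may hold text
    except UnicodeDecodeError:
        return "application/octet-stream", None


def review_upload(filename, data):
    """Report where content-based routing would store the file and what to flag."""
    mime, expected = sniff(data)
    ext = os.path.splitext(filename)[1].lstrip(".").lower()
    findings = []
    if ext in EXECUTABLE_EXTS:
        findings.append("executable-extension")
    if expected is not None and ext not in expected:
        findings.append("extension-content-mismatch")
    return {"dir": f"{STORAGE_ROOT}/{mime.split('/')[0]}", "mime": mime, "findings": findings}


# Constructed sample uploads: the report's two stored files plus a well-formed image.
PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
SAMPLES = [("file1.php", PNG), ("file2.php", b"<?php echo 'hi';"), ("photo.png", PNG)]

if __name__ == "__main__":
    for name, body in SAMPLES:
        print(name, review_upload(name, body))
```
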

              People

              Assignee:
              Unassigned
              Reporter:
              paulo.nunes-obsolete@ez.no Paulo Nunes (Inactive)
              Votes:
              0
              Watchers:
              3
